Mobile devices are essential business tools, not accessories. Employees expect to work from anywhere on any device. Organizations must enable this productivity while managing security, compliance, and support complexity.
Enterprise mobility strategy addresses how organizations approach devices, applications, and data in the mobile context. This guide provides a framework for developing and implementing effective mobility strategy.
The Mobility Landscape
Current State Dynamics
Employee expectations: Flexibility to work from any device, anywhere.
BYOD reality: Personal devices used for work whether sanctioned or not.
Application proliferation: Mobile versions of business applications multiplying.
Security exposure: Mobile devices creating new attack surfaces.
Compliance complexity: Regulatory requirements extending to mobile.
Strategic Objectives
Mobility strategy balances:
Productivity: Enabling employees to work effectively on mobile devices.
Security: Protecting organizational data on devices that are lost, stolen, or compromised.
Experience: Providing good user experience that encourages appropriate use.
Efficiency: Managing mobile environment cost-effectively.
Compliance: Meeting regulatory requirements for data protection.
Mobility Strategy Framework
Domain 1: Device Strategy
How devices are acquired and managed:
Ownership models:
Corporate-owned, business only (COBO):
- Organization provides and owns device
- Business use only
- Maximum control
- Highest cost, least flexibility
Corporate-owned, personally enabled (COPE):
- Organization provides device
- Personal use allowed
- Strong control with some flexibility
- Balance of control and experience
Choose your own device (CYOD):
- Employee chooses from approved list
- Organization usually pays
- Standardization with choice
- Manageable support complexity
Bring your own device (BYOD):
- Employee uses personal device
- Organization may subsidize
- Maximum flexibility
- Privacy and support challenges
Device management approach:
- Unified Endpoint Management (UEM) platforms
- Mobile Device Management (MDM) capabilities
- Mobile Application Management (MAM) for BYOD
- Conditional access policies
Domain 2: Application Strategy
Mobile access to business applications:
Application types:
Native mobile apps:
- Purpose-built for mobile devices
- Best user experience
- Development and maintenance cost
- Per-platform development
Mobile web apps:
- Web application optimized for mobile
- Cross-platform by nature
- Less native capability access
- Simpler development
Progressive web apps:
- Web apps with native-like features
- Single codebase
- Increasing capability parity
- Modern approach for many use cases
Application delivery:
- Enterprise app stores
- MDM-pushed applications
- Container-based delivery
- Virtual/remote applications
Domain 3: Security Architecture
Protecting data and access:
Device security:
- Encryption requirements
- Passcode policies
- Jailbreak/root detection
- Remote wipe capability
Data security:
- Data separation (personal/business)
- Data loss prevention
- Copy/paste restrictions
- Secure containers
Access security:
- Strong authentication (MFA)
- Conditional access based on device state
- Zero trust principles
- Certificate-based authentication
Threat protection:
- Mobile threat defense (MTD)
- Phishing protection
- Malware detection
- Network security
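Added example, not from the original guide: a minimal conditional-access decision that combines the device, data, and access controls listed above into one fail-closed check. The field names, decision labels, and the rules that corporate devices must be MDM-enrolled and that high-sensitivity resources require MDM are illustrative assumptions, not any UEM product's API.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DevicePosture:          # hypothetical fields, as a UEM might report them
    ownership: str            # "COBO", "COPE", "CYOD" or "BYOD"
    management: str           # "MDM" (full device), "MAM" (app-level) or "none"
    encrypted: bool
    passcode_set: bool
    jailbroken: bool
    mfa_passed: bool

def evaluate_access(p, sensitivity="normal"):
    """Return (decision, reasons): 'allow', 'allow_container' or 'block'."""
    reasons = []
    if not p.mfa_passed:
        reasons.append("MFA not satisfied")
    if p.jailbroken:
        reasons.append("jailbreak/root detected")
    if not p.encrypted:
        reasons.append("storage not encrypted")
    if not p.passcode_set:
        reasons.append("no passcode")
    if p.management not in ("MDM", "MAM"):   # unknown values fail closed
        reasons.append("device not under MDM or MAM")
    elif p.ownership != "BYOD" and p.management != "MDM":
        # Assumed rule: app-level management alone is reserved for BYOD.
        reasons.append("corporate device must be MDM-enrolled")
    if reasons:
        return "block", reasons
    if p.management == "MAM":
        # Assumed rule: app-level management keeps data in the secure container,
        # and high-sensitivity resources need a fully managed device.
        if sensitivity == "high":
            return "block", ["high-sensitivity resource requires MDM"]
        return "allow_container", ["app-level management only"]
    return "allow", []

# Constructed sample devices.
COPE_OK = DevicePosture("COPE", "MDM", True, True, False, True)
BYOD_MAM = DevicePosture("BYOD", "MAM", True, True, False, True)
BYOD_ROOTED = DevicePosture("BYOD", "MAM", True, True, True, True)
UNENROLLED = DevicePosture("BYOD", "none", True, False, False, True)

if __name__ == "__main__":
    for name, dev in [("COPE_OK", COPE_OK), ("BYOD_MAM", BYOD_MAM),
                      ("BYOD_ROOTED", BYOD_ROOTED), ("UNENROLLED", UNENROLLED)]:
        print(name, evaluate_access(dev), evaluate_access(dev, "high"))
```

Returning every failed check, rather than stopping at the first, gives the help desk and the user a complete remediation list in one pass.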
Domain 4: Management and Operations
Running the mobile environment:
Management capabilities:
- Device enrollment and provisioning
- Configuration management
- Patch and update management
- Inventory and compliance tracking
Support operations:
- Help desk for mobile issues
- Self-service capabilities
- Knowledge base and guidance
- Remote support tools
Lifecycle management:
- Onboarding and enrollment
- Ongoing compliance monitoring
- Offboarding and device wipe
- Refresh and replacement
Implementation Approach
Assessment
Understanding current state:
Inventory: What devices are in use? What applications are accessed?
Risk assessment: What are current mobile security gaps?
User needs: What do employees need to do on mobile?
Capability gaps: What's missing in current management?
Policy Development
Defining the rules:
Acceptable use: What's permitted and prohibited on mobile devices.
Security requirements: Requirements for accessing organizational resources.
BYOD policy: Terms for personal device use including privacy, support, and security.
Compliance: Regulatory requirements affecting mobile.
Technology Selection
Choosing platforms:
UEM platform selection:
- Feature requirements
- Platform ecosystem fit (Microsoft, Google, independent)
- Total cost of ownership
- Integration with identity and security
Security tool selection:
- Mobile threat defense needs
- Integration with UEM
- Endpoint detection and response
Rollout and Adoption
Going live:
Phased rollout: Start with pilot groups; expand with learning.
User communication: Clear explanation of what's changing and why.
Training: How to use new capabilities and meet requirements.
Support preparation: Ready to handle questions and issues.
Key Takeaways
- Mobile is mainstream: This is core infrastructure, not optional technology.
- Ownership model matters: BYOD, COPE, and COBO have different trade-offs.
- Security is essential but must be balanced: Security that prevents productivity will be circumvented.
- User experience drives adoption: Cumbersome security and management drive shadow IT.
- Zero trust principles apply: Device state should be a factor in access decisions.
Frequently Asked Questions
Should we allow BYOD? Often it is practical, since it's likely happening anyway. Frame the question as how to enable BYOD securely rather than whether to allow it.
What about employee privacy on BYOD? Use application-level management (MAM) rather than full device management where possible. Communicate clearly about what is and isn't visible to IT.
Which UEM platform should we use? It depends on the existing ecosystem. Microsoft shops often choose Intune; Google-centric organizations may choose Workspace MDM; others may choose an independent platform (VMware, Jamf).
How do we handle mobile for regulated industries? Additional controls: stronger encryption, container-based separation, more restrictive policies, audit and compliance reporting.
What about mobile for field workers? May need rugged devices, specific applications, and offline capability. Specialized use cases require tailored solutions.
How do we measure mobility program success? Metrics include: enrollment compliance, security posture, support ticket volume, user satisfaction, and application adoption.